Legal claims defining the scope of protection. Each claim is shown in its original legal language; several are followed by a plain English translation.
1. A host computer comprising: a memory; and a processor configured to: implement a workspace, the workspace being configured to enable operation of a first set of one or more applications or processes via a first memory space; implement an isolated computing environment, the isolated computing environment comprising a sandboxed computing environment being configured to enable operation of a second set of one or more applications or processes via a second memory space; isolate the isolated computing environment from the workspace using an internal isolation firewall; process communications exchanged between the host computer and a network to which the host computer is connected using a host-based firewall, wherein the host-based firewall is configured to implement a first policy for communications associated with the isolated computing environment and a second policy for communications associated with the workspace; determine a relative location of the host computer; select an authentication procedure for authenticating the isolated computing environment with a server based on the determined relative location of the host computer; and authenticate the isolated computing environment with the server in accordance with the selected authentication procedure.
2. The host computer of claim 1, wherein the relative location of the host computer is determined based on whether the network that the host computer is connected to is a predetermined trusted network.
3. The host computer of claim 1, wherein the second policy implemented by the host-based firewall is based on the relative location of the host computer, wherein: the second policy allows an outgoing communication from the first set of one or more applications associated with the workspace to the network on condition that the network is determined to be a predetermined trusted network, and the second policy blocks the outgoing communication from the first set of one or more applications associated with the workspace to the network on a condition that the network is determined not to be the predetermined trusted network.
4. The host computer of claim 1, wherein a first authentication procedure is selected if the network is a predetermined trusted network and a second authentication procedure is selected if the network is not the predetermined trusted network, wherein the server is accessed using a first network address when using the first authentication procedure and the server is accessed using a second network address when using the second authentication procedure.
This invention relates to a host computer that selects its authentication procedure from its relative location, which in these claims means whether the network the host is connected to is a predetermined trusted network. If the network is trusted, a first authentication procedure is selected and the server is reached at a first network address; if it is not, a second authentication procedure is selected and the server is reached at a second network address. This lets a more stringent procedure be applied when the network is untrusted while keeping access on trusted networks lightweight, so that users are not put through unnecessary authentication steps in a trusted environment and untrusted networks are still held to a higher bar. The host may also include a network interface for detecting which network it is on and a processor for executing the selected procedure. Because the choice of procedure follows directly from the location decision, that decision (claims 2 and 9) is the security-critical step: a network wrongly classified as trusted receives the weaker procedure.
5. The host computer of claim 4, wherein the first authentication procedure utilizes a username/password authentication, and the second authentication procedure utilizes one or more of a NT LAN manager (NTLM) authentication, a KERBEROS authentication, a certificate-based authentication, a shared keys authentication, a two-factor authentication (TFA), a biometric authentication, a behavioral authentication, a secure socket layer (SSL) authentication, and a MAC address authentication.
6. The host computer of claim 1, wherein a first authentication procedure is selected if the network is a predetermined trusted network, the first authentication procedure utilizing one or more of a username/password authentication, a NT LAN manager (NTLM) authentication, a KERBEROS authentication, a certificate-based authentication, a shared keys authentication, a two-factor authentication (TFA), a biometric authentication, a behavioral authentication, a secure socket layer (SSL) authentication, and a MAC address authentication, and wherein a second authentication procedure is selected if the network is not the predetermined trusted network, the second authentication procedure utilizing one or more of the username/password authentication, the NTLM authentication, the KERBEROS authentication, the certificate-based authentication, the shared keys authentication, the TFA, the biometric authentication, the behavioral authentication, the SSL authentication, and the MAC address authentication that the first authentication procedure is not utilizing.
7. The host computer of claim 1, wherein the second set of one or more applications or processes associated with the isolated computing environment are prevented from communicating with an untrusted network destination prior to authenticating with the server, and the second set of one or more applications or processes associated with the isolated computing environment are allowed to communicate with the untrusted network destination after authenticating with the server.
This invention relates to secure computing environments, specifically a host computer that keeps an isolated (sandboxed) computing environment under controlled network access. The problem addressed is ensuring that applications or processes inside the isolated environment cannot communicate with untrusted network destinations until the environment has been properly authenticated, which prevents unauthorized or malicious traffic from leaving the sandbox before its identity has been verified. The isolated environment authenticates with a server that enforces the authentication requirement for network access. Applications or processes within the isolated computing environment are initially blocked from untrusted network destinations; only after successful authentication with the server are they permitted to establish connections to those destinations. Trusted destinations are told apart from untrusted ones using a whitelist, a blacklist, or both (claim 8). The system may also include additional security measures, such as monitoring network traffic, enforcing access policies, and logging authentication events. Because the isolated environment runs in its own memory space behind the internal isolation firewall, it is kept apart from the host's primary workspace as well as from the network, so a compromised application inside it has nowhere to spread. This is particularly useful where untrusted or third-party applications must be executed securely, such as in cloud computing, virtualized environments, or enterprise security frameworks.
8. The host computer of claim 7, wherein the isolated computing environment is configured to classify a network destination as trusted or untrusted based on one or more of a whitelist comprising a list of trusted network destinations or a blacklist comprising a list of untrusted network destinations.
9. The host computer of claim 1, wherein determining the relative location of the host computer comprises one or more of determining a unique local area networking address of the network the host computer is connected to, determining a network identification of the network the host computer is connected to, using a global positioning system (GPS) technique, determining a MAC address of at least one device on the network that the host computer is connected to, and determining that the host computer has connectivity with one or more known devices on the network.
10. A server, the server comprising: a memory; and a processor configured to send one or more downloadable executable files to a host computer, wherein when the one or more downloadable executable files run on the host computer, the one or more downloadable executable files configure the host computer to: implement a workspace, the workspace being configured to enable operation of a first set of one or more applications or processes via a first memory space; implement an isolated computing environment, the isolated computing environment comprising a sandboxed computing environment being configured to enable operation of a second set of one or more applications or processes via a second memory space; isolate the isolated computing environment from the workspace using an internal isolation firewall; process communications exchanged between the host computer and a network to which the host computer is connected using a host-based firewall, wherein the host-based firewall is configured to implement a first policy for communications associated with the isolated computing environment and a second policy for communications associated with the workspace; determine a relative location of the host computer; select an authentication procedure for authenticating the isolated computing environment with an authentication server based on the determined relative location of the host computer; and authenticate the isolated computing environment with the authentication server in accordance with the selected authentication procedure.
11. The server of claim 10, wherein the relative location of the host computer is determined based on the network that the host computer is connected to and based on whether the network to which the host computer is connected is a predetermined trusted network.
This invention relates to a server that delivers downloadable executable files which configure a host computer to determine its relative location. Relative location here is not a physical position but a network context: which network the host computer is connected to, and whether that network is on a predetermined list of trusted networks. The configured host identifies the network it is connected to and checks whether it matches a predefined trusted network; the relative location follows from that trust status. Claims 9 and 18 list the evidence the host may use for this, such as the network's local addressing, its network identification, a GPS technique, the MAC address of a device on the network, or connectivity with known devices on it. The result drives the rest of the system: it selects which authentication procedure is used and which policies the host-based firewall applies, so that only trusted networks are granted the more permissive treatment. The system may also include additional components for logging, authentication, and policy enforcement to further secure the network environment.
12. The server of claim 10, wherein the second policy implemented by the host-based firewall is based on the relative location of the host computer, wherein: the second policy allows an outgoing communication from the first set of one or more applications associated with the workspace to the network on condition that the network is determined to be a predetermined trusted network, and the second policy blocks the outgoing communication from the first set of one or more applications associated with the workspace to the network on a condition that the network is determined not to be the predetermined trusted network.
13. The server of claim 10, wherein a first authentication procedure is selected if the network is a predetermined trusted network and a second authentication procedure is selected if the network is not a predetermined trusted network, wherein the authentication server is accessed using a first network address when using the first authentication procedure and the authentication server is accessed using a second network address when using the second authentication procedure.
14. The server of claim 13, wherein the first authentication procedure utilizes username/password authentication and the second authentication procedure utilizes one or more of a NT LAN manager (NTLM) authentication, a KERBEROS authentication, a certificate-based authentication, a shared keys authentication, a two-factor authentication (TFA), a biometric authentication, a behavioral authentication, a secure socket layer (SSL) authentication, and a MAC address authentication.
15. The server of claim 10, wherein a first authentication procedure is selected if the network is a predetermined trusted network, the first authentication procedure utilizing one or more of a username/password authentication, a NT LAN manager (NTLM) authentication, a KERBEROS authentication, a certificate-based authentication, a shared keys authentication, a two-factor authentication (TFA), a biometric authentication, a behavioral authentication, a secure socket layer (SSL) authentication, and a MAC address authentication, and wherein a second authentication procedure is selected if the network is not the predetermined trusted network, the second authentication procedure utilizing one or more of the username/password authentication, the NTLM authentication, the KERBEROS authentication, the certificate-based authentication, the shared keys authentication, the TFA, the biometric authentication, the behavioral authentication, the SSL authentication, and the MAC address authentication that the first authentication procedure is not utilizing.
16. The server of claim 10, wherein the second set of one or more applications or processes associated with the isolated computing environment are prevented from communicating with an untrusted network destination prior to authenticating with the authentication server, and the second set of one or more applications or processes associated with the isolated computing environment are allowed to communicate with the untrusted network destination after authenticating with the authentication server.
17. The server of claim 16, wherein the isolated computing environment is configured to classify a network destination as trusted or untrusted based on one or more of a whitelist comprising a list of trusted network destinations and a blacklist comprising a list of untrusted network destinations.
18. The server of claim 10, wherein determining the relative location of the host computer comprises one or more of determining a unique local area networking address of the network the host computer is connected to, determining a network identification of the network the host computer is connected to, using a global positioning system (GPS) technique, determining a MAC address of a device on the network that the host computer is connected to, and determining that the host computer has connectivity with one or more known devices on the network.
19. A method for authenticating a communication between a host computer and a network, the method comprising: implementing a workspace, the workspace being configured to enable operation of a first set of one or more applications or processes via a first memory space; implementing an isolated computing environment, the isolated computing environment comprising a sandboxed computing environment being configured to enable operation of a second set of one or more applications or processes via a second memory space; isolating the isolated computing environment from the workspace using an internal isolation firewall; processing communications exchanged between the host computer and a network to which the host computer is connected using a host-based firewall, wherein the host-based firewall is configured to implement a first policy for communications associated with the isolated computing environment and a second policy for communications associated with the workspace; determining a relative location of the host computer; selecting an authentication procedure for authenticating the isolated computing environment with a server based on the determined relative location of the host computer; and authenticating the isolated computing environment with the server in accordance with the selected authentication procedure.
20. The method of claim 19, wherein the second set of one or more applications or processes associated with the isolated computing environment are prevented from communicating with an untrusted destination prior to authenticating with the server, and the second set of one or more applications or processes associated with the isolated computing environment are allowed to communicate with the untrusted destination after authenticating with the server.
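The following is an added example, not code from the patent or any product, that models the decision logic the claims describe: relative-location determination from several network signals (claims 2 and 9), selection of the authentication procedure and server address (claims 4 and 5), the separate host-firewall policies for the workspace and the sandbox (claims 3 and 7), destination classification by whitelist and blacklist (claim 8), and the internal isolation firewall (claim 1). All network identifiers, trusted-network entries, destination lists and the rule that a blacklisted destination stays blocked even after authentication are assumptions made for illustration.

```python
"""Policy engine for the two-firewall host described in the claims.
Added example, not the patent's or any product's code. Every network
identifier, trusted-network entry and destination list is constructed."""
from dataclasses import dataclass, field

# A network is trusted only when its id, the gateway MAC and at least one known
# device all match (claims 2 and 9); any single signal alone is easy to mimic.
TRUSTED_NETWORKS = {"corp-lan": {"gateway_mac": "00:11:22:33:44:55",
                                 "known_devices": {"10.0.0.5", "10.0.0.6"}}}
ALLOWLIST = {"mail.example.internal", "wiki.example.internal"}  # claim 8
BLOCKLIST = {"bad.example.net"}                                 # claim 8
AUTH_BY_LOCATION = {  # procedure and server address per location (claims 4, 5)
    "trusted":   ("username_password", "auth.example.internal:443"),
    "untrusted": ("certificate+tfa",   "auth-edge.example.com:443"),
}

@dataclass
class Observed:
    """What the host can see on its current network (constructed inputs)."""
    network_id: str
    gateway_mac: str
    reachable: set = field(default_factory=set)

def determine_relative_location(obs: Observed) -> str:
    """Claim 9: network id, a device MAC and reachability of known devices."""
    ref = TRUSTED_NETWORKS.get(obs.network_id)
    if ref and ref["gateway_mac"] == obs.gateway_mac \
            and obs.reachable & ref["known_devices"]:
        return "trusted"
    return "untrusted"

def select_auth_procedure(location: str) -> tuple:
    """Claim 4: the location picks both the procedure and the server address."""
    return AUTH_BY_LOCATION[location]

def classify_destination(dest: str) -> str:
    """Claim 8. Assumption: unlisted destinations default to untrusted."""
    if dest in ALLOWLIST:
        return "trusted"
    return "blocked" if dest in BLOCKLIST else "untrusted"

class HostFirewall:
    """Claims 1, 3 and 7: one policy per memory space plus the internal wall."""
    def __init__(self, location: str):
        self.location = location
        self.sandbox_authenticated = False  # set once the selected procedure succeeds
    def workspace_egress(self) -> bool:  # second policy (claim 3)
        return self.location == "trusted"
    def sandbox_egress(self, dest: str) -> bool:  # first policy (claims 7, 8)
        cls = classify_destination(dest)
        return cls == "trusted" or (cls == "untrusted" and self.sandbox_authenticated)
    def internal_isolation(self, src_space: str, dst_space: str) -> bool:
        return src_space == dst_space  # workspace <-> sandbox traffic never crosses
```

A host on a network that advertises the trusted id but presents a different gateway MAC or none of the known devices is classified untrusted, which is the case the stronger procedure and the blocking workspace policy exist for.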
February 23, 2021